Thousands of Aussie websites exposed in hack attack

Asher Moses and Ben Grubb

Thousands of Australian websites are vulnerable to being taken over by hackers following a break-in at Australian domain registrar and web host Distribute.IT, security experts say.

It comes as the hacker group LulzSec followed up yesterday's attack on the CIA's website by today releasing 62,000 email addresses and passwords. A number of the leaked login details related to .com.au addresses and several government departments and councils.

Distribute.IT was hacked on Saturday in a "deliberate, premeditated and targeted attack", the company said. Almost an entire week has elapsed since then and the company has still been unable to get its website online, explain what happened or notify customers of any stolen data.

It is unclear exactly how many Australian websites are hosted by Distribute.IT or how many domain names it manages, but Fairfax Media has seen a list of hundreds of customers and this is understood to be just the tip of the iceberg with thousands affected.


Complaints have already begun pouring in from affected businesses who are suffering as a result of the break-in.

'Killed my business'

"This new outage has probably killed my business, with over 40 of my clients running a special promotion on the web this weekend that is going to be a total bomb," wrote a user on the Whirlpool forums.

Another wrote: "They've been going down far too often these last few months ... My business can't sustain any more downtime."

Ty Miller, chief technology officer at security firm Pure Hacking, said thousands of Australian websites were vulnerable to having their domain names redirected to malicious sites as a result of the hacking incident.

In addition to this, Miller said, those companies that had their websites hosted on Distribute.IT's servers were vulnerable to every piece of their data being stolen, including databases containing credit card information and usernames and passwords.

"A domain registrar is where you go to buy your domain name and basically they control where your [Domain Name System] server is so if I hacked into Distribute.IT I could hijack potentially thousands of websites by redirecting their DNS to a malicious site rather than the actual site," Miller said.

"The people who are hosted [by Distribute.IT] are also at risk but also their data is at risk as well because they could potentially have their websites defaced and their data in any databases compromised - they can have usernames and passwords stolen."
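The redirection risk Miller describes is easiest to catch from the outside: a compromised registrar or DNS host shows up as nameserver (NS) or address (A) records that no longer match what the domain owner expects. The following Python script is an added illustration of that check and is not code from the article, Pure Hacking or Distribute.IT. It parses resolver output in the text form `dig` prints in its answer section, compares it with a baseline the owner recorded in advance, and flags missing or unexpected records and suspiciously short TTLs. The domain, nameserver names and addresses are constructed placeholders.

```python
"""Detect drift in a domain's DNS delegation and address records.

Compares a resolver's answer section (dig-style text) against a known-good
baseline. A registrar or DNS-host compromise typically appears as NS or A
records the owner never configured. Example code written for this page;
all names and addresses below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Key = Tuple[str, str]            # (owner name, record type)
Baseline = Dict[Key, Set[str]]   # expected values per (name, type)


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    value: str


def parse_dig_answer(text: str) -> List[Tuple[Record, int]]:
    """Parse lines of the form '<name> <TTL> IN <TYPE> <value>' (dig answer section).

    Comment lines starting with ';' and blank lines are skipped. Names and
    values are lower-cased so comparisons are case-insensitive.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue
        name, ttl, rtype = parts[0].lower(), int(parts[1]), parts[3].upper()
        value = " ".join(parts[4:]).lower()
        records.append((Record(name, rtype, value), ttl))
    return records


def check_delegation(observed_text: str, baseline: Baseline, min_ttl: int = 300) -> List[str]:
    """Return a list of alert strings; an empty list means the records match the baseline.

    Alerts: MISSING (an expected value is gone), UNEXPECTED (a value the owner
    never set is being served) and LOW_TTL (a TTL below min_ttl, which often
    precedes or accompanies a record change).
    """
    alerts: List[str] = []
    seen: Dict[Key, Set[str]] = {}
    for rec, ttl in parse_dig_answer(observed_text):
        seen.setdefault((rec.name, rec.rtype), set()).add(rec.value)
        if ttl < min_ttl:
            alerts.append(f"LOW_TTL {rec.name} {rec.rtype} {rec.value} ttl={ttl}")
    for key, expected in baseline.items():
        got = seen.get(key, set())
        for value in sorted(expected - got):
            alerts.append(f"MISSING {key[0]} {key[1]} {value}")
        for value in sorted(got - expected):
            alerts.append(f"UNEXPECTED {key[0]} {key[1]} {value}")
    return alerts


# Constructed baseline: what the owner of example.com.au expects to be served.
BASELINE: Baseline = {
    ("example.com.au.", "NS"): {"ns1.example-dns.net.", "ns2.example-dns.net."},
    ("example.com.au.", "A"): {"203.0.113.10"},
}

# Constructed answer section as it would look after a registrar-side change.
OBSERVED_TAMPERED = """
;; ANSWER SECTION:
example.com.au.   3600 IN NS ns1.example-dns.net.
example.com.au.   3600 IN NS ns1.unknown-host.example.
example.com.au.     60 IN A  198.51.100.7
"""

# Constructed answer section matching the baseline exactly.
OBSERVED_CLEAN = """
example.com.au.   3600 IN NS ns1.example-dns.net.
example.com.au.   3600 IN NS ns2.example-dns.net.
example.com.au.   3600 IN A  203.0.113.10
"""

if __name__ == "__main__":
    for alert in check_delegation(OBSERVED_TAMPERED, BASELINE):
        print(alert)
    print("clean run alerts:", check_delegation(OBSERVED_CLEAN, BASELINE))
```

In practice the observed text would come from a scheduled `dig` against several public resolvers, and the baseline would be stored somewhere the registrar account cannot alter, so that a hijacked delegation is noticed before customers are.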

Owned by Evil

When the hacker initially broke in, it defaced Distribute.IT's website with the message "OWNED BY EVIL AT EFNET YOU MOTHER f****ers". Evil is the same hacker who recently broke into the University of Sydney's website. In that instance Evil admitted to hacking into the university from Brazil for money.

The company said it was "unsure on any data loss" and that its office communications - including phone and email - had been affected. It added that it was "confident of providing authorities with usable information" to try to locate the hacker.

Distribute.IT's phone line went unanswered today and its website now redirects to a blog where the company is updating customers on its progress in investigating the hack. However, Miller and many others have criticised the company for failing to provide adequate detail, comparing it to Sony waiting a week before informing customers their accounts were exposed in the PlayStation Network attack.

Customers have also been criticising the company on the Whirlpool forums. "The lack of communication is the biggest drama. I have to face my customers as I do but they don't tell us what is going on inconsiderate pricks they just throw us to the sharks. I am over it," wrote one.

James Turner, security analyst at IBRS, was more sympathetic towards Distribute.IT.

"Their customers are hurting and so the organisation is trying to use its finite resources to strike a balance between: identifying the full extent of the problems, fixing them, communicating with stakeholders, and ensuring that they are not overlooking anything along the way," he said.

"And they're handling this crisis on top of everything that goes with the normal running of a business."

On Tuesday it said staff were working through all of its computer servers "one-by-one" to check for any problems. It said customers who had dedicated servers "should ensure that all administrative passwords to their servers" be changed.

Customers outraged

"Wolfcat", who appeared to be a customer of Distribute.IT, said on the Australian broadband forum Whirlpool on Sunday, June 5, that Distribute's email server and web hosting were slow and intermittent. Since then a number of odd outages have occurred on the Distribute network.

" ... This is getting ridiculous, Distribute seem to be spending more and more time down, but at least they are spending the same amount of time telling people what is going on ... which is none," Wolfcat said.

The last update to Distribute.IT's blog, posted last night, said that most of Distribute's services had been brought back online but that there was still more to do.

"Engineers advise they are down to the final server required to restore normal client domain, SSL, SMS, etc functionality," the company said, referring to customers being able to control their .au domain names as well as being able to complete other functions.

It said it would take between 24 and 48 hours before those services resumed. Data recovery on its shared services - which host many websites - was "continuing". "This is also a very long and complicated process and we are unable to give a definitive ETA".

A "large number" of customers who managed their own dedicated computer servers hosted at the company were now "fully operational", it said, "although we do note there are a couple that are still experiencing some issues".

Highlights risks of the cloud

Miller said that companies were rushing to put all of their information into the internet "cloud" without understanding that by connecting their databases to the internet they were exposing themselves to risks of serious attacks.

"If you're hosting your system in the same location as a random forum that's not being managed properly, if that forum gets hacked then that provides the attacker with a pretty good foothold to start hacking all of the other systems hosted at that hosting provider," he said.

Separately, in the email login details dump released by LulzSec overnight, both Australian personal email account details and a number of government addresses were exposed. These accounts included AusAID, the Victorian Department of Childhood and Early Education, Emergency Services Telecommunications Authority in Victoria and several local councils in NSW and Victoria.

A number of Australian university email logins were also exposed.

Alastair MacGibbon, a former Australian Federal Police cyber crime officer who now runs his own security consultancy, said the series of attacks by LulzSec highlighted that people and corporations needed to pay far more attention to their responsibilities around protecting personal information.

But he warned against glorifying the group and rejected LulzSec's justifications that it was hacking companies for "fun" and to draw attention to poor security.

"If the pickpocket says yeah I did it for fun what would you say to them? There is no doubt that what they and all the other compromises show is that we have a lot of room for improvement, but you don't thank the people who are breaking the law as part of that process and you certainly don't celebrate those people," MacGibbon said.

"The people they're harming by releasing this information isn't the big corporations - they're harming the people whose details they're actually putting online."

Are all systems vulnerable?

Some have suggested that the recent hack attacks prove that there is no security and that all systems are vulnerable. MacGibbon and Miller disagreed with this to an extent.

"There are hundreds of millions, billions of connected computers; of course they're going to find vulnerabilities in that. I don't think it shows the whole system is dead," said MacGibbon.

Miller said that LulzSec were exploiting flaws in software that hadn't been patched yet - known as 0days - and there was often little companies could do to prevent these from being exploited.

"It doesn't mean the security industry is a farce ... you can be secure it's just that there's always going to be a way around it," he said.

Comments

the web has expanded too fast with so many vulnerabilities new and old that it is now an impossible task to manage and secure it.

the long list of exploits at milw0rm makes one wonder what IT security professionals are paid for!!!!

White Hat, June 17, 2011, 12:19PM

If my site ends up being affected, hopefully it redirects to a giant ascii penis. That would be pretty awesome.

HighlyDubious (http://bassfreqs.com), June 17, 2011, 12:23PM

I also think because the web has expanded so fast it may have affected things.

theadder, June 17, 2011, 12:43PM

Wonder what the government will propose as a solution to this problem. A regulated internet? Online net identity?

It makes you wonder who is behind this.

Orange, June 17, 2011, 12:44PM

If you don't want to be hacked (or tracked!), stay off the Web.

Max Gross (xenoxnews.com), June 17, 2011, 12:50PM

The world's security is in the toilet at the moment because businesses have been accepting of incomplete and buggy software constantly needing patching because we're too consumed with getting products to market. Every contract for software development includes coverage for a period of time for bug fixes. We've allowed the big businesses (M$ etc) to set the standard, that incomplete code is OK to release and make profits on.

GarageKid, Melbourne, June 17, 2011, 12:51PM

Great, now lulzsec is giving ammunition to politicians and screwing over the average chump on the net. They probably do do it for the lulz but it certainly is malicious.

Makes me wonder what our leaders now think of anonymous. Compared to lulzsec they look like saints!

Mel, Brisbane, June 17, 2011, 12:53PM

From a customer's point of view, all I can say is - be careful people, and take internet security seriously! Recently a hobby website that I'm a member of was hacked. I changed my password like I was instructed to, and didn't think too much of it. But I'd had the same password on my iTunes account and a week later ... all my store credit disappeared! Thankfully iTunes refunded it without any fuss, but I shudder to think what would have happened if it had been my bank account, paypal account, etc.

This sort of hacking is horrible, malicious and should be stopped, but I figure it comes with the territory. We don't leave our wallet sitting on the front seat of our car because we know there are people out there who'll take advantage - we have to be the same with our online possessions, too.

ktv, June 17, 2011, 12:57PM

@Orange: "What will the government propose as a solution?"

Isn't it OBVIOUS? Slap a "price" on internet access, of course!

Hasn't that solved much more complex and global problems, like the "climate change"?

No? Ooops...

You mean it requires thought, intelligence and knowledge to resolve?

Dang, we'll have to outsource/offshore it!

Or else from now on, we'll only use carrier pigeons for internet communications and pigeon houses for web providers. At least that way we can shoot the lot if they cause trouble!

Noons, Sydney, June 17, 2011, 12:58PM

All too often these sorts of organisations are either run by upper management that does not have a real handle on the security issues at hand, or those lower down that may be aware of the issues, but do not have the time to fix or properly secure such systems.

As upper management is pushing lower workers too hard already on direct revenue making activities, often understaffed (and over worked) developers or system engineers are not given the time to adequately protect systems or spend non-revenue @work time training themselves better in system security.

Sadly at the cost people want these sorts of services for here in Australia (hosting, web design, development), they cannot expect much in the way of dedicated security experts trawling the servers to ensure everything is secure. External developers or web designers hosting with such companies can range in experience, and frankly, brain power, and without a highly qualified third party checking every line of their code, one poor website can make an entire server vulnerable. Security is always the weakest link in the chain.

Anybody can call themselves a 'web designer' or 'web developer' without any minimum standard of qualification, yet unfortunately learning how to make the actual thing secure takes many years of practice and study.